mark.chamberlain Posted September 22, 2008

Hi All, I'm looking for some help and ideas about a problem I'm having with our company network. I realise this problem is random and intermittent and my explanation will probably seem vague, so any pointers or more questions will be gratefully received.

Firstly, I started with the company just over 3 weeks ago so I am still finding my way around and learning the structure. So please bear with me and if any questions need answering, I will go and find the information.

Firstly our set up, we are running one Windows 2003 Server as our Exchange and AD server. We have several other Windows 2003 and 2000 Servers running on the network running various programs such as IIS and SQL Server. We have around 40-50 Windows XP clients, and one Windows 98 that I am assured doesn't get turned on very often!

In the last week, we have started to see some strange problems with authentication. I have noticed it on my PC and on other users. For instance, I can log in to my computer in the morning fine, my Exchange e-mail will be fine, but when I try and access my My Documents which is mapped to a share on the AD server, it will ask for my username and password. If I type in my username with the DOMAIN\ prefix, it will tell me that this has already been attempted and to use another. If I, for instance, use the domain admin account then it will log in fine. This is random and intermittent though, and so sometimes it will go through without any problems.

I also saw it today allowing full access (as I should have) to a folder inside a share on one of our servers, but then completely denying me write access to another folder in that share. All the folders in the share were accessible last week for the same task and nothing has changed at all. I suspect I could try tomorrow and it would work fine.

We don't make a great use of the AD OUs to be honest (a task I want to look into when I get time) and there is only myself and the IT Manager here, and neither of us have made any significant changes that we can think of.

As I said, I realise this is very vague, but if somebody could even begin to point me in the right direction it would be great, as currently I don't even know where to look for the answers to this one.

Cheers, Mark.
cluberti Posted September 22, 2008

Well, for starters, the memory requirements of Exchange 2003 and the memory requirements of Active Directory mean that these should never, EVER be on the same server unless it's an SBS server (and even then it's a hack to get both working properly that I would not recommend anywhere else, as it is unsupported outside of SBS).

You will likely find that splitting Exchange, AD, and File Server duties to 3 machines (buy a beefy box and use virtual servers if hardware cost is an issue) will rectify the issue. Normally what happens is that when you start to run low on kernel resources, something AD depends on quite heavily, you'll end up with odd auth issues. Noting that Exchange 2003 requires the usage of the /3GB switch, you've already cut in half the amount of kernel memory available to the server (/3GB in boot.ini == only 1GB of VA available for the kernel). File servers are relatively heavy users of AD, and Exchange is a VERY heavy user of AD. So what they've done, in essence, is put two very AD-reliant products on the AD server itself, and reduced the amount of kernel memory available to assist in those AD duties.

With 50 - 60 clients, you should have at least 4 servers - 2x AD servers, 1x Exchange server, and 1x File server.
mark.chamberlain Posted September 22, 2008

Hi, thanks for the reply. Sorry, yes it is an SBS. But I do see your points about the server becoming overloaded. Is it worth doing some tracking or monitoring of the server to see how hard it is being hit on a day to day basis?
cluberti Posted September 22, 2008

> Hi, thanks for the reply. Sorry, yes it is an SBS. But I do see your points about the server becoming overloaded. Is it worth doing some tracking or monitoring of the server to see how hard it is being hit on a day to day basis?

Yes, using the perfmon utility, add the memory counters for all objects to see what is happening. Also, enabling auditing on logon/logoff events and auth events might give more insight into the error codes on failures you see.
mark.chamberlain Posted September 23, 2008 (edited)

Well there is the odd Logon Failure event in the Security Log, but nothing specific, it just says the following:

    Service Ticket Request:
    User Name:
    User Domain:
    Service Name:
    Service ID: -
    Ticket Options: 0x2
    Ticket Encryption Type: -
    Client Address: 128.2.0.112
    Failure Code: 0x25
    Logon GUID: -
    Transited Services: -

I had trouble again this morning with permissions on a specific share on a server on the network, I can access one folder under the share but not another. I had the same yesterday morning but yesterday afternoon the folder was working fine. The server that the share is located on is showing no security errors in its log and I also can't tie in any on the main AD server to the time of the authentication error.

I've run up perfmon and added all the memory stats, there seems to be a large amount of Page Faults and also Transition Faults at the same time. The network card bandwidth also sits at the top of the scale at 100, but from what I can work out the scale for network bandwidth isn't in percent, so I'm not sure how relevant it is?

Edited September 23, 2008 by mark.chamberlain
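Added example, not part of the original posts: a small parser for the Service Ticket Request text quoted in the post above that decodes the Failure Code field with the Kerberos error names from RFC 4120 (where 0x25 is KRB_AP_ERR_SKEW) and counts failures per client address. The field labels are taken from the post; the second sample event, its address 192.0.2.10 and its code 0x18 are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Field labels as they appear in the event text quoted in the post.
FIELDS = ["User Name", "User Domain", "Service Name", "Service ID",
          "Ticket Options", "Ticket Encryption Type", "Client Address",
          "Failure Code", "Logon GUID", "Transited Services"]
LABEL = re.compile("(" + "|".join(map(re.escape, FIELDS)) + "):")

# Subset of the Kerberos error codes defined in RFC 4120.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    0x12: "KDC_ERR_CLIENT_REVOKED (client's credentials have been revoked)",
    0x17: "KDC_ERR_KEY_EXPIRED (password has expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (pre-authentication information was invalid)",
    0x20: "KRB_AP_ERR_TKT_EXPIRED (ticket expired)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}

# The event as posted, on one line, plus one constructed variant for contrast.
POSTED = ("Service Ticket Request: User Name: User Domain: Service Name: "
          "Service ID: - Ticket Options: 0x2 Ticket Encryption Type: - "
          "Client Address: 128.2.0.112 Failure Code: 0x25 Logon GUID: - "
          "Transited Services: -")
CONSTRUCTED = POSTED.replace("128.2.0.112", "192.0.2.10").replace("0x25", "0x18")

def parse_event(text):
    """Split a ticket-request event into {label: value}; '-' becomes ''."""
    matches = list(LABEL.finditer(text))
    fields = {}
    for cur, nxt in zip(matches, matches[1:] + [None]):
        value = text[cur.end():nxt.start() if nxt else len(text)].strip()
        fields[cur.group(1)] = "" if value == "-" else value
    return fields

def describe(code_text):
    """Map a hex failure code such as '0x25' to its RFC 4120 name."""
    try:
        code = int(code_text, 16)
    except ValueError:
        return "unparseable failure code"
    return KRB_ERRORS.get(code, "unlisted code 0x%x" % code)

def triage(events):
    """Count failures per (client address, decoded failure code)."""
    counts = Counter()
    for f in map(parse_event, events):
        counts[(f.get("Client Address", ""), describe(f.get("Failure Code", "")))] += 1
    return counts

if __name__ == "__main__":
    for (client, error), n in triage([POSTED, POSTED, CONSTRUCTED]).items():
        print(n, client, error)
```

A KRB_AP_ERR_SKEW count concentrated on one client address suggests comparing that machine's clock with the domain controller's.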
mark.chamberlain Posted September 23, 2008

It's an Intel PRO/1000MT running through a normal Ethernet (not Gigabit) port. The server itself is a Dell PowerEdge 2800.